core/cli
8
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions 1

fix(io): sandbox absolute paths under root in Medium.path

Browse source
This commit is contained in:
Snider 2026-02-02 08:11:01 +00:00
parent e4ee8d2328
commit 4e5a361035
1 changed files with 7 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
pkg/io/local/client.go
View file

@ -25,6 +25,7 @@ func New(root string) (*Medium, error) {
// path sanitizes and returns the full path.
// Replaces .. with . to prevent traversal, then joins with root.
// Absolute paths are sandboxed under root (unless root is "/").
func (m *Medium) path(p string) string {
if p == "" {
return m.root
@ -35,7 +36,12 @@ func (m *Medium) path(p string) string {
if len(clean) == 3 && clean[1] == ':' && (clean[2] == '\\' || clean[2] == '/') {
return clean
}
return filepath.Clean(clean)
// If root is "/", allow absolute paths through
if m.root == "/" {
return filepath.Clean(clean)
}
// Otherwise, sandbox absolute paths by stripping leading /
return filepath.Join(m.root, strings.TrimPrefix(clean, "/"))
}
return filepath.Join(m.root, clean)
}